What the vulnerability does
01Description
Under certain circumstances a successful exploitation could result in access to the device.
CVE-2025-43875
HIGH
CVE-2025-43875: iSTAR Ultra, Ultra SE, Ultra G2, Ultra G2 SE, iSTAR Edge G2 - Authenticated web application command injection - getOptionsInfo
CVSS base score
8.7/10
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Key dates
02Disclosure timeline
December 24, 2025
CVE published
December 24, 2025
Record updated
External resources
03References
Related vulnerabilities
04Related CVE
CVE-2026-0630 Command Injection Vulnerability on TP-Link Archer BE230 v1.2 and AXE75 v1.0
CVE-2024-50393 QTS, QuTS hero
CVE-2026-40032 UAC < 3.3.0-rc1 Command Injection via Placeholder Substitution
CVE-2026-22169 OpenClaw < 2026.2.22 - Allowlist Bypass via sort Configuration in safeBins
CVE-2025-32778 Web-Check allows command Injection via Unvalidated URL in Screenshot API
